Twitter Patches Password Recovery Flaw

Twitter has revealed a serious vulnerability with its password recovery system that could have exposed the account details of almost 10,000 active Twitter users.

The microblogging service said in a blog posting that the bug affected its password recovery systems for about 24 hours last week, but it immediately fixed it after learning of its existence.

Password Recovery

Twitter admitted the bug may have revealed the account details including email addresses and phone numbers associated with the affected accounts.

“We recently learned about – and immediately fixed – a bug that affected our password recovery systems for about 24 hours last week,” said Twitter. “The bug had the potential to expose the email address and phone number associated with a small number of accounts (less than 10,000 active accounts). We’ve notified those account holders today, so if you weren’t notified, you weren’t affected.”

Twitter said that whilst the exposed information wasn’t enough to log in to a Twitter account, it could allow an attacker to begin a phishing or scam campaign, as active email addresses and phone numbers are valuable information.

“We take these incidents very seriously, and we’re sorry this occurred,” said Twitter. It also warned of stiff penalties, saying that any user it discovers to have “exploited the bug to access another account’s information will be permanently suspended.”

Twitter also warned that it would “be engaging law enforcement as appropriate so they may conduct a thorough investigation and bring charges as warranted.”

And the company reminded its users of “the importance of good account security hygiene,” including the use of strong passwords and login verifications.

Past Issues

Problems with Twitter have recently centred on outages, but the company has suffered security vulnerabilities in the past.

In June 2014, Twitter account holders were urged to not use the popular TweetDeck client, after users were alerted to a potentially nasty bug in the platform that could lead to “mass account compromise”.

Popup alerts had emerged in some users’ browsers, as the code that exploited the bug was retweeted across Twitter. As soon as users’ browsers read the code, an alert popped up highlighting the flaw and forcing JavaScript to run on their machines.

Earlier that same year, a security researcher uncovered another flaw that had been active for a number of months. That bug in Twitter’s systems affected the privacy of more than 93,000 accounts.


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
